The Department of Health and Human Services (“HHS”) has issued a model attestation form for any “Requested Use or Disclosure of Protected Health Information Potentially Related to Reproductive Health Care.” The attestation is needed to comply with the Health Insurance Portability and Accountability Act (“HIPAA”) regulations.
Law. The HIPAA Privacy Rule establishes standards to protect individuals’ medical records and other protected health information (“PHI”). The Privacy Rule applies to: covered entities, including group health plans and their business associates; health care clearinghouses; and those health care providers that conduct certain health care transactions electronically. The Privacy Rule requires covered entities to implement appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures of PHI by covered entities without individual authorization.
HHS recently issued final regulations that strengthen HIPAA’s Privacy Rule by prohibiting the disclosure of PHI related to lawful reproductive health care in certain circumstances. According to HHS, these regulations “bolster[s] patient-provider confidentiality and help promote trust and open communication between individuals and their health care providers or health plans, which is essential for high-quality health care.”
New Regulations. The new regulations:
- Prohibit the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
- Require a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for “prohibited purposes.”
- Require regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.
Attestation. When a HIPAA covered entity or business associate receives a request for PHI potentially related to reproductive health care, it must obtain a signed attestation that clearly states the requested use or disclosure is not for “prohibited purposes,” when the request is for: (i) health oversight activities; (ii) judicial or administrative proceedings; (iii) law enforcement; or (iv) information regarding decedents, disclosures to coroners and medical examiners.
“Prohibited purposes” include: (i) conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care; (ii) imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care; or (iii) identifying any person for any purpose described in (i) or (ii).
The Model Attestation Form is available at: https://www.hhs.gov/sites/default/files/model-attestation.pdf